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Abstract 

The specification and derivation of substitution for the de Bruijn representation of A- 
terms is used to illustrate programming with a function-sequence monad. The resulting 
program is improved by interactive program transformation methods into an efficient im- 
plementation that uses primitive machine arithmetic. These transformations illustrate new 
techniques that assist the discovery of the arithmetic structure of the solution. 


Introduction 

Substitution is one of many problems in computer science that, once understood in one context, 
is understood in all contexts. Why, then, must a different substitution function be written for 
every abstract syntax implemented? This paper shows how to define substitution once and use 
the monadic structure of the definition to instantiate it on different abstract syntax structures. 
It also shows how to interactively derive an efficient implementation of substitution from this 
very abstract definition. 

‘The authors are supported in part by a grant from the NSF (CCR-9101721) and by a contract with Air 
Force Material Command (F19628-93-C-0069). 
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Formal methods that support reasoning about free algebras from first principles based on 
their inductive structure are theoretically attractive because they have simple and expressive 
theories. However, in practice they often lead to inefficient algorithms because they fail to 
exploit the “algebras” implemented in computer hardware. This paper examines this prob- 
lem by giving a systematic program development and then describing a series of (potentially) 
automatic program transformations that may be used to achieve an efficient implementation. 

The particular program development style employed is based on the categorical notion of a 
monad. This approach to program development has been advocated by Wadler[18, 19] and is 
strongly influenced by Moggi’s work on semantics[15]. The substitution algorithm for A-calculus 
terms represented with de Bruijn indexes serves as a case study. 

The algorithm is mechanically transformed into first-order equations by previously pub- 
lished techniques. It is then refined to an equivalent first-order specification using first-order 
program transformation techniques. Finally the program is transformed to introduce standard 
arithmetic and boolean operators, thus achieving an efficient algorithm. 

1 The Case Study: de Bruijn Representation 

The de Bruijn representation of terms in the A-calculus avoids the problems of bound variable 
names by using indexes to represent variables [5, 6]. The index assigned to an occurrence of a 
variable is the number of A’s in the abstract syntax tree between the occurrence and the A that 
binds the variable. For example, the term: 

Xu. (An. uv(Xw. uvw))(Xz. zu) (1) 

is represented by: 

A.(A.10(A.210))(A.01) (2) 
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This representation is most easily visualized by looking at the tree representing the term, which 
is given in Figure 1. 

Free variables in A-terms are also represented by indexes. The index of a free variable is 
an index greater than the number of As on the path from the root to its occurrence. Two free 
variables are equal if, when placed in a context binding them, they would be equal as bound 
variables. For example, in (2), when the subterm (A. 2 1 0) is considered out of context, indexes 
2 and 1 represent distinct free variables. 

The de Bruijn representation has the advantage that ci-congruent A-terms have identical 
representations. There is also no need to calculate sets of free and bound variables when 
performing substitution. Substitution is still not trivial, however, since indexes require adjust- 
ment as terms are moved into different binding contexts. This paper develops and refines a 
substitution algorithm for terms that use the de Bruijn representation. 

To illustrate substitution, consider contracting the redex in (1). This yields 

Xu.u(Xz. zu)(Xw.u(Xz. zu)w) (3) 

The contraction of the redex is expressed in the substitution calculus as: 

[uv(Xw. uvw)\(v i — ^ A,?, zu) 

The substitution ( v i— ► X z. zu) is technically defined as a function from all variables to terms. 
It is more formally written as (id \ v i— ► X z. zu), that is, as the identity function perturbed at 
v to yield Xz. zu. This substitution will be called a. 

The contracted term (1) is represented by: 

A. 0 (A. 0 1) (A. 1 (A. 0 2) 0) (4) 

Figure 2 illustrates this term as a tree. Note that, after the contraction, the de Bruijn represen- 
tation of the term that replaced v occurs with two distinct representations, A. 0 1 and A. 02, and 
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Figure 1: Tree representation of 
Xu. (An. uv(Xw. uvw))(Xz. zu). 
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Figure 2: Representation of the 
contracted term. 


the indexes associated with the occurrences of u within the scope of v in (2) are decremented 
in (4) because the A binding v was removed in the contraction. 

To express substitution directly with the de Bruijn representation these index adjustments 
must be defined. Earlier work of Hardin and Levy and of Abadi and others on term calculi with 
explicit substitutions expressed these adjustments in terms of simple operations [1, 10, 9, 14]. 
Whenever a substitution enters a new binding context (i.e. a A), the substitution function must 
be shifted to accommodate the new mapping of indexes to variables. For example, if 0 was 
mapped to Xx. x (technically AO in de Bruijn form) outside the A, then inside the A the index 
1 must be mapped to Xx. x. 

A second operation, lift, adjusts the indexes representing non-local variables, such as u in 
the example above. Every time a new binding context is entered, the value of the substitution 
function on every point in the domain must be lifted. Thus, the substitution a expressed in 
de Bruijn notation is 1 : 

cr(O) = AO 1 

J The coercion of numbers to terms implicit here will become explicit in the programs developed below. 
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a(n + 1) = n 

In the algorithm developed below an indexed family of functions is defined that gives the 
appropriately “lifted and shifted” substitution function for each binding context. This family 
will be generated inductively from the substitution a. The first element of the family, op, is 
the substitution a. The second substitution in the family, op, is obtained from op by shifting 
the domain and lifting all terms in the image. This gives opO = 0, opl = A. 0 2 and op (n + 2) = 
(n+ 1). In this case, these are the only substitutions needed, but in general any number may be 
required. The key to this development is to calculate this sequence of functions and then use a 
generic recursion scheme, such as that provided by the map function, that has been specialized 
to select the function from the family appropriate to the context. 

The shifting transformation is easily captured by the approximate recurrence: op+iO = 0 
and op_|_i(n + 1) ~ opn. To make it exact it is necessary to lift opn. This is done by another 
sequence of functions: 


fon = 

n + 1 

/i0 = 

0 

fi(n+l) = 

n + 2 

h o = 

0 

h 1 = 

1 

f 2 (n + 2) = 

n + 3 


Observe that in the example a single application of f\ to the body of opl accounts for A. 0 1 
being lifted to A. 0 2. In general the /; are generated by /;+i0 = 0 and fi+\{n + 1) = (fin) + 1. 
Families of functions may be applied by a map functional that applies the ith member of the 
family to all indexes in the term in the scope of i As (otherwise map leaves the structure of the 
term unchanged). Given map , the family of substitution functions, (op, op, . . .), is generated 
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by the initial substitution, op, and the recurrence: 

<?i+i 0 = 0 

<J t+1 (n +1) = map (/ 0 , /i, • • •) ( cr t n ) 

The map function can be used again to apply the family of substitution functions, (op, aq, . . .), 
to a term. This, however, results in terms of terms, since every variable has replaced its index 
by a term. This is not a problem, however, because the Term type constructor developed below 
is designed to be a monad; monads have a polymorphic function, mult, which performs the 
requisite flattening. 


2 Monads 

A monad is a concept from category theory that has been used to provide structure to semantics[15] 
and to functional programs[19]. In the computer science setting a monad is defined by a para- 
metric data type constructor, T, and three polymorphic functions: 

map : (a — ► fi) — ► Ta — ► Tf3 
unit : a — ► Ta 

mult : TTa Ta 

The map function is required to satisfy: 

map id a = idx a 
map (fog) = map f o map g 

The polymorphic functions unit and mult must satisfy: 

mult a o unitxa = idxa 
mult a o (map unit a ) = tdx a 

mult a o multx a = mult a o (map mult a ) 

A simple example of a monad is list. For lists, map is the familiar mapcar function of Lisp, 
unit is the function that produces a singleton list, and mult is the concatenate function that 
flattens a list of lists into a single list. Other examples of monads are given by Wadler[19]. 
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Several categorical concepts are implicit above. The functional programming category has 
types as objects and appropriately typed functions between them as arrows. (Values are viewed 
as constant functions — arrows from the one element type. For the purpose of this paper types 
may be interpreted concretely as sets.) The requirements on map specify that the type con- 
structor T and the map function together define a functor. The three laws given for unit and 
mult are the monad laws. By virtue of their parametric polymorphic types, unit and mult are 
natural transformations[17 ]. That is, they satisfy the following equational properties: 

unit of = map f o unit 
mult o map f = ( map(map /)) o mult 

Monads have been used to structure programs (and semantics) because it is often possible 
to characterize interesting facets of a specification as a monad. Algorithms to exploit the 
particular facet may frequently be expressed in terms of the map , unit and mult functions with 
no explicit details of the type constructors. 

3 The Term Monad 

3.1 Naive terms 

Term structures and substitution are natural candidates for the application of monads. In this 

section monads are illustrated by terms without binding structure. In the next section the full 

substitution algorithm for de Bruijn terms is given in a monadic setting. 

Consider the very simple term data type: 

datatype Term'(a) = Var(a) 

| App( Term! (a) * Term' (a)) 

It is easily verified that Term' is a monad. The map, unit and multiplier, given in Figure 3, 
are easily calculated from the definition with the techniques of Hook, Kieburtz and Sheard[ll]. 
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map f ( Var x) 
map f ( App(t , t')) 

unit 


Var(f x) 

App(map f t, map f t r ) 
Var 


mult ( Var x) = x 

mult ( App(t , t')) = App(mult t, mult t r ) 

Figure 3: Definition of the map, unit and multiplier for Term'. 

Taking the viewpoint that a substitution is a function from variables to terms, it is natural to 
associate the type a — ► Term' {(3 ) with a substitution function. It is then meaningful to apply 
the map function of the monad to a substitution, which yields a Term' ( Term' (fi)). 

This intermediate “term-term” is the least intuitive aspect of the example. Essentially a 
term over type a has been converted to a term-term over (3 by replacing the ci-values with 
/3-terms, but not the Var constructors that had been applied to them. The multiplier function, 
which has the type Term' (Term' (a)) — ► Term' (a), is exactly what is needed to clean up this 
situation. In this case it removes the residual applications of the Var constructor in the term- 
term. 

In summary, if a is an appropriately typed substitution function, the action of the substi- 
tution on the simple term type above is given by: 

mult o map a 

This use of the multiplier and the map together to obtain a function of type T(a) — ► T([3) from 
a function / of type a — ► T([3) is called the natural extension of /. Monads can be defined in 
terms of natural extension and unit. 
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3.2 Terms with binding 


The development in Section 1 suggests that the specification of the substitution operation 
will be straightforward in a monadic data type with an appropriate map. The following type 

declaration extends the naive type above with A-abstraction: 

datatype Term(a) = Var(a) 

| Abs(Term(a )) 

| App( Term(a) * Term(a)) 

Note that even though the de Bruijn representation will use Term(Nat), Term is specified to 
be a parametric type constructor. This provides the structure to support the definition of 
mult, which will have type Term(Term(a )) — ► Term(a). It also gives map , mult and unit 
the polymorphic types that enable the assertion of the “free theorems” characterizing them as 
natural transformations[17]. 

As above, it is possible to automatically generate map, mult and unit functions for this type 
realizing a monadic structure. Unfortunately, the map function obtained with those techniques 
does not work with families of functions. 

To accommodate the function sequences a new category, FunSeq, is used. The objects are 
data types, as before, but the morphisms are sequences of functions (formally Hom(A,_B) = 
(B a Y). Identities are constant sequences of identities from the underlying category; composi- 
tion is pointwise, i.e. o (gi) iew = (/; o gi) iew . 

The map function for Term exploits the new structure by shifting the series of functions 

whenever it enters a new context. Its definition is given as a functional program: 

map (/o, /i ,---)( Var x) = Var(f 0 x) 

map ( f 0 ,fi , . . .) (Abst) = Abs(map (/i, / 2 , • • •) t) 

map (/ 0 ,/i, • • •) ( App(t,t ' )) = App(map (/ 0 ,/r, map (/ 0 ,/r, • • •) t r ) 

It is easily verified that ( Term, map) satisfy the categorical definition of a functor. 

Looking at these definitions, it is clear how to insert an ordinary function or value into the 
category, and it is straightforward to insert the families of functions needed for the example by 
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giving the initial element of the sequence and the functional that generates all others. Thus, 
one way to realize the map function of FunSeq in a functional programming setting is with 
the map-with-policy function introduced in Hook, Kieburtz and Sheardfll]: 
map-with-policy Z f ( Var x) = Var(fx) 

map-with-policy Z f ( Abs t) = Abs(map-with-policy Z ( Zf ) t) 

map-with-policy Z f ( App(t , t')) = App(map-with-policy Z f t, 

map-with-policy Z f t r ) 

In this encoding Z is the functional that generates the sequence and / is the seed value. That 
is, 

map (f,Zf,Z 2 f,...) = map-with-policy Z f 

The name map-with-policy refers to the notion of policy function introduced by Kieburtz[12, 11]. 
The unit and mult functions automatically generated for Term are: 

unit = Var 

mult ( Var x) = x 

mult (Abs t) = Abs(mult t) 

mult ( App(t , t')) = App(mult t, mult t r ) 

These may be lifted to FunSeq by forming the trivial families (unit, unit, . . .) and (mult, mult, . . .). 
Simple induction proofs show that they satisfy the monad laws. 

With these definitions in place the complete definition of substitution is given in Figure 4. 
Note that the algorithm makes no explicit mention of the data constructors. It only uses 
the information about the type implicit in the definition of map-with-policy , unit and mult. 
Appendix A proves this algorithm is correct with respect to the calculus of explicit substitutions 
of Curien, Hardin and Levy [10, 9]. 

4 Transformation to a First-Order Set of Equations 

To obtain a practical algorithm, the substitution function applysubstitution in Figure 4 must 
be made more efficient. This section shows how this transformation can be done automatically. 
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fun applysubstitution gq M = 
let fun SUCC X = X + 1 
fun lift f 

= An. if n = 0 then 0 else 1 + f(n — 1) 
fun shift a 

= An. if n = 0 then unit 0 

else map-with-policy lift succ (cr(n — 1)) 
in mult(map-with-policy shift Go M) 

end 


Figure 4: Substitution function 


Program transformation systems operate on systems of first-order equations. To apply them 
to the algorithm of substitution the higher-order facets must be translated into first-order 
structures. A partial evaluation system is used to accomplish this. 

The software allowing a complete automatic transformation is not yet written. The trans- 
formations below have been performed with the Schism partial evaluator [8], the program called 
Firstify [3] which performs the Reynolds Algorithm [16] and the Astre program transformation 
system [4]. 

4.1 Transformation of the map-with-policy Operator 

The first step is to rewrite the program using the map-with-policy operator for the type Term(a) 
as a system of first-order functions. A partial evaluator can be used to specialize higher- 
order functions decreasing their order level. For example, consider the particular function 
Go in the example in Section 1, and the call applysubstitution Go. A partial evaluator pro- 
duces a program that does not contain applysubstitution in its full generality; it specializes 
the definition of applysubstitution for the particular constant gq. This specialization, called 
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applysubstitutiorucr o, does not have a function as an argument, so it is first-order. 

Unfortunately, this technique is insufficient for processing calls of map-with-policy , which is 

called twice in the program in Figure 4. The specialization of map-with-policy for a particular 

policy function K and seed function go gives the following function Mwp-g: 

Mwp-g (g, Var(n)) = Var(g(n)) 

Mwp-g ( g,Abs(t )) = Abs(Mwp-g(K g,t )) 

Mwp-g (g,App(t,t r )) = App(Mwp.g(g, t), Mwp.g(g, /')) 

The function Mwp^g has a function as an argument. But if it is specialized for a particular 

function go, the partial evaluator has to specialize the internal call Mwp-g(K g,t)', it loops on 

this attempt. Fortunately, the partial evaluator is able to detect this circumstance, allowing 

it to select another technique. The alternative technique translates the higher-order functions 

into a system of first-order functions. This standard encoding, which is due to Reynolds [16], 

is implemented in a program called Firstify [3]. Let us outline below how it works with the 

map-with-policy operator. 

1. The first step constructs a data type that encodes how the higher-order arguments are 
manipulated and applied. In this case the functions to be encoded are go and K g. For 
the constant function, go, a constant C is introduced as a summand in the data type Func. 
The argument K g cannot be encoded by a simple constant value because it contains g 
as a free variable. Since g is a higher-order parameter, it will already be represented by 
a value of type Func. Hence the new constructor, F, representing the application of K , 
must have type Func — ► Func. This gives the data type Func, defined 

datatype Func = C\ F(Func). 

The introduction of this type is a rediscovery of the sequence of functions go,g\,... 
because it encodes each function in the family. The function go is encoded by C, and the 
function go, for example, is encoded by F(F(F(C ))), which is written F 3 . 
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2. The functions appearing as actual arguments are replaced by their encodings. The argu- 
ment functions do not exist anymore — they are replaced by first-order data. In the call 
Mwp-g(go , iff), go is no longer a function but a first-order value, [h/o] , of type Func. The 
definition of Mwp^g leads to the new function Mwpjg'\ 

Mwp-g'( \g ~\ , Var(n)) = Var( \g~\(n)) 

Mwp-g'(\g],Abs(t )) = Abs(Mwp.g'(F(\g]),t)) 

Mwp-g'(\g],App(t,t ' )) = App(Mwp.g'(\g],t), Mwp.g'(\g],t')) 

But since \g~\ is not a function, the application \g~\(n) is nonsense. 

3. To make sense of the applications of functional parameters in the original programs 
“application” functions are introduced. Specifically the function apply_g , defined below, 
decodes applications of the form \g~\(n). 

apply-g(C,n) = g 0 (n) 

apply. g(F(\g\),n) = (K An. apply.g(\g\,n))(n). (5) 

Note that apply_g is a first-order function because its argument, ["</], is an element of 

the type Func. The definition of the policy function K is unfolded to get a first-order 

expression of apply-g(F( ["</] ), n). The definition of Mwp-g 1 can be completed into: 

Mwp-q'( To] , Var (n) ) = Var(apply-q( To] , n) ) 

Mwp-g'(\g],Abs(t )) = Abs(Mwp.g'(F(\g]),t)) 

Mwp.g'{ |Y| , App(t, /')) = App{Mwp-g'{ \g ] /), Mwp.g'( \g ] , /')) 

This encoding is done with respect to a specific call of map-with-policy Z go M. In the 
program in Figure 4 there are two such calls. The new functions corresponding to Mwp^g and 
apply^g constitute a first-order program equivalent to the functions generated by map-with-policy . 

4.2 Application to applysubstitution 

Using the preceding techniques, the function applysubstitution is successfully transformed 
into the first-order program in Figure 5. For a given substitution op , partial evaluation of 
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fun applysubstitutionjdo(M) = 

let fun apply -f (SUCC, n) = s(n) 

| apply -f (FSEQ ( /) , n) = if n = 0 then 0 

else s( apply J(f,n - 1)) 
fun Mwp-f(f, Var(n)) = Var(apply-f(f,n )) 

| Mwp-f(f , Abs(t)) = Abs(Mwp-f(FSEQ(f),t )) 

I Mwp-f(f, App(t , /')) = App(Mwp-f(f, t ), MwpJif, /')) 

fun apply (SO, n) = (To( ra ) 

| apply -cr(SUBST((j), n)= if n = 0 then ura’f(O) 

else Mwp-f(SUCC. , (apply-a(a, n — 1))) 
fun Mwp-a(a, Var(n)) = Var(apply-a(a,n)) 

| Mwp-a(a, Abs(t)) = Abs(Mwpjcr(SUBST(a),t )) 

| Mwp-a(a, App(t, t')) = App(Mwp-a(a,t), Mwp-a(a,t')) 

in mult(Mwp-o(SO ; M )) 
end 


Figure 5: First-order Program 

an instance apply substitution do specializes the function apply substitution into a function 

apply substitution-do. The data type Subst and the data type Fseg are introduced using the 

program Firstify which implements Reynolds’ techniques for the encodings of lift and shift. 

datatype Subst = SO datatype Fseq = SUCC 

| SBBSF(Subst ) | FSEQ(Fseq) 


These two data types are isomorphic to the data type Nat which is implemented effi- 
ciently in the hardware 2 . However, the specialized function Mwp-d does not exploit the ef- 
ficient implementation since it uses the (essentially unary) representation of the data type 
instead. Thus, the function apply-d must peel off all of the data constructors each time Mwp-d 
is applied to Var(n). For example, after three levels of abstraction, d 3 is represented by 
SUBST(SUBST(SUBST(SQ))). (The same is also true of the function Mwp-f .) To eliminate 
this inefficiency, which was present in the calling behavior of the original algorithm, the data 
2 The constructors for the data type Nat are 0 and s, i.e. datatype Nat = 0 | s(Nat). 
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types Subst and Fseq must be changed to the uniform data type Nat. This transformation can 
be performed automatically by Astre. Ultimately the explicit use of Nat will facilitate the use 
of primitive arithmetic in the program. 

5 Simple Transformations 

The following two simple transformations are performed automatically by Astre after introduc- 
ing new function symbols. The first one introduces indexes to count the level of abstractions. 
The second replaces the composition of Mwp with the function mult by a single function. The 
order of these transformations does not matter; they can be done simultaneously. 

For technical reasons recursive definitions of the form 

g(n) = if n = 0 then e\ else e 2 

are manipulated more effectively by Astre in the equivalent form: 

0(0) =[ei](ni-> 0 ) 

g(s(n)) = [e 2 \{n ^ s(n)) 

This restriction of the form of equations ensures the termination of the rewriting used by Astre 
to unfold the definition of g. 

5.1 Introduction of Indexes 

The isomorphism between the automatically generated type Subst and the natural numbers is 

made explicit by introducing the function iso-o : Nat — ► Subst: 

fun iso-o(s(i)) = SUBST(iso-o(i)) 

| iso-cr { 0) = SO 

The functions apply-<j and Mwpja are replaced by the new functions a(i,n ) (for a i(n)) and 
Mwp-o' , respectively. These functions satisfy a(i,n ) = apply (iso j&(i),n ) and Mwpjcr'(i,n) = 
Mwp-(j(iso-(j(i),n). Using these new equations, the Astre system implements the data type 
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fun applysubstitutionjCTo(M) = 

let fun/(0,ra) = s(n) 

\f(s(i),0) =0 

\ f(s(i),s(n)) =s(f(i,n )) 

fun Mwp-f'(i, Var(n)) = Var(f(i,n )) 

| Mwp-f (i, Abs(t)) = Abs(Mwp-f(s(i),t)) 

| Mwp-f'(i , App(t , /')) = App(Mwp-f'(i, t), Mwp-f'(i , /')) 

fun <r(0, ra) = (7o(n) 

|(j(s(i),ra) = unit( 0) 

| (j(s(i), s(n)) = Mwp-f'(Q,cr(i,n)) 

fun Mwp-cr' (i , Var(n)) = Var(a(i,n )) 

| Mwp-a'(i, Abs(t)) = Abs(Mwp-cr' (s(i) , t )) 

| Mwp-a'(i, App(t , /')) = App(Mwp-a'(i , /), Mwp-a'(i, t')) 

in mult(Mwp-(j / (0, M)) 

end 

Figure 6: Program with indexes 

Subst using the data type iVaf. New functions to implement the data type Fseg using iVaf are 
also provided to the Astre system which then gives the program in Figure 6. The program in 
Figure 6 does not improve the performance of the program in Figure 5. However, its explicit 
use of numbers is key to the improvements presented in the next section. 


5.2 Composition Step 

The transformation continues with a simple (automatic) step that replaces the composition of 
mult with Mwp-o' by a single function. 3 This is accomplished automatically by the introduction 
of a function symbol, Ewp , which is equated to the composition of mult with Mwpjj ' , i.e. , 
Ewp( 0, M) = mult(Mwp-cr'( 0, M)). Astre gives a program which uses neither mult, nor Mwp-o' 

3 Ewp is a mnemonic for extension with policy. 
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fun applysubstitution-(To(M ) = 

let fun/(0,n) = s(n) 

\f(s(i),0) =0 

\ f(s(i),s(n)) = s(f(i,n)) 

fun Mwp(i, Var(n)) = Var( f(i,n )) 

| Mwp(i, Abs(t)) = Abs(Mwp(s(i),t )) 

| Mwp(i , App(t , /')) = App(Mwp(i , t), Mwp(i , t')) 
fun <r(0, ra) = <7o(^) 

|(j(s(i),ra) = unit( 0) 

| (j(s(i), s(ra)) = Mwp(0, 
fun Ewp(i, Var(n)) = a(i,n ) 

| Ewp(i, Abs(t)) = Abs(Ewp(s(i),t )) 

| Ewp(i, App(t, t r )) = App(Ewp(i,t), Ewp(i,t r )) 
in Ewp(O^M) 
end 

Figure 7: Composed Program 

that includes the following definition of Ewp : 

fun Ewp(i, Var(n)) = a(i,n ) 

| Ewp(i, Abs(t)) = Abs(Ewp(s(i),t )) 

| Ewp(i , App(t , C)) = App(Ewp(i , t), Ewp(i , C)) 

The main body of the function is then replaced by Ewp( 0, iff). The functions muli and Mwp-a ' , 
which have become useless, are removed. Since the Mwp-a' has now been eliminated, Mwp-f 
is renamed Mwp to simplify the nomenclature below. 


6 Transformation of the Sequence of the cr Functions 

The transformations in this section exploit the arithmetic arguments introduced above to im- 
prove the expensive and redundant recursive calculations in <7 and Ewp. Indeed, the transfor- 
mation aims at discovering conditionals and subtraction from a constructor-based definition of 
a binary arithmetic symbol. 

The function a(i,n ) of the transformed program is a rediscovery of the series of functions 
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(Ji(n) of Section 1. To further refine this program, a specific instance of applysubstitution op 
must be specified. In what follows, the substitution function op, needed for the contraction 
described in Section 1, is used to illustrate the specialization. Recall that op replaces variables 
of index 0 with the term A. 0 1, which is represented by Abs(App(Var(0), Var(l))). Thus, 
op(0) = Abs(App( Var(O), Var( 1))) and op(s(ra )) = unit(n). Unfolding these equations yields a 

complete constructor-based definition of a(i,n ): 

<r(0, 0) = Abs(App{ Var(0), Var{ 1))) 

<7(0, s(n)) = unit(n) 
a 0) = unit( 0) 

a(s(i), s(n )) = Mwp( 0, a(i , n)) (6) 

Since the equational program is complete with respect to Nat * Nat, the computation of any 

instance of a(i,n) results in a ground constructor term. For example, <7(4, 2) yields: 

d(s(s(s(s(0)))),s(s(0))) (7) 

Mwp(0,a(s(s(s(0))),s(0))) -► (8) 

Mwp(0, Mwp(0, a(s(s(0)), 0))) V ar(s(s( 0))) 

Rewrites (7) and (8) are unfoldings by equation (6). Computation of any instance of a(i, n) by 
naturals can begin with unfoldings using (6) until a subterm, a(u,v), in which u and/or v are 
equal to 0 is obtained. 

This suggests a target program of the form: 

a(i, n) = if i > n then e\ else if i = n then e 2 else e 3 

where e\, and e 3 are expressions. The transformation will be beneficial if these expressions 
are efficient. This step introduces a form of function definition by a conditional (instead of 
structural induction) that violates the technical restriction on programs used to assure termi- 
nation of rewriting as required by the Astre system. Presently, Astre does not perform this 
part of the transformation. Moreover, the transformation does not directly generate the con- 
ditional; instead it generates the complete definition: cr(s(i) + k,k) = u\, a(k,k) = 112 and 
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cr(k, s(n) + k) = M 3 . This definition, which is no longer constructor-based, is translated directly 
into a conditional following the pattern above. 

6.1 First Transformation Step 

The general strategy of the two transformation steps that follow is to discover arithmetic 
operations implicit in the recursion structure of programs. The goal of the first transformation 
step is to find the conditional and subtraction from a constructor-based definition of a binary 
arithmetic symbol which is a simultaneous iterator like a. Such functions follow the following 

general pattern for simultaneous iterators: 

< 2 ( 0 , 0 ) = t 
G(s(i), 0) = hfai) 

< 2 ( 0 , ■s(n)) = h 2 (n) 

G(s(i),s(n )) = <p(G(i,n)) 

For example, the constructor-based presentation of the function computing the maximum (or 

the equality) of two natural numbers follows this general pattern. The first step in this process 

is a definition that makes the iteration structure of functions explicit. A function G computes 

(2(6,2) as ip(ip(G{ 4,0))) = fa 2 (hfafa)) . In the same way, it computes (2(3,7) as ip 3 (h 2 (3)), and 

(2(4,4) as ip 4 ( / ). The results are the same with a function G following the conditional pattern: 
G(i, n) = if i > n then ip n (h\(i — n — 1 )) else if i = n then ip n (t) else ipfah 2 (n — i — 1 )) 

The number k of applications of the function ip denoted by <p k is made explicit by an index k 
in the following definition: 

Definition 1 Let x be a variable of type a, let y; be a term of type fa for each i = 1, • • • , n, 
and let ip be a function of type fa ■*■■■■* a ■*■■■■* (3 n a. The function (p of type Nat * (fa * 
• • • = 1 = a * • • • * fa n ) a is defined by: 

fa(s( k )i (Vi, Vn)) = v(yi, • • • , kp{k, ( 2 / 1 , • • • , x, ■ ■ ■ , y n )), ■ ■ - ,y n ) 

fafafay 1 ,- ■ - ,x,- ■ - ,y n )) = x 
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Proposition 1 

0(kfayi, • - • , <^( 2 / 1 , - • - , 2 /, • • -,y n ), ■ ■ -,yn)) = v(yi, ■ ■ ■ -,y, ■ ■ -,y n )), ■■■,y n ) 

Proof: By induction on k. □ 

An immediate consequence of Definition f is 0(1, x) = fax ), where x : fa * • • • * a * • • • * fa. 

Having made the iteration structure of functions explicit, the next theorem helps program 
transformations exploit that structure. To simplify the exposition, consider the case in which 
<p : a a. In this case 0 : Nat* a — ► a and cp(k, n) = <p k (x ), where p> k denotes k applications of 
<~p. Suppose now that / : Nat* Nat -* a satisfies the equation: f(s(i),s(n )) = <p(f(i,n )); then 
/( 4, 7) = cp 4 ( f( 0, 3)) = 0(4, /( 0, 3)). More generally, f(i + k,n + k) = 0(k, f(i , n)). In fact, if 
F : Nat*Nat — ► a then F is a simultaneous iterator if and only if 0(k, F(x, y)) = F(x + k , y + k), 
which is the result expressed by Theorem 1. 

Theorem 1 Assume f of type Nat 71 — ► a, let y; be a term of type fa for each i = 1, • • • , n, and 
let p be a function of type fa *■■■ * a * ■■■ * fa n a. Fhe following are equivalent: 

1. f(s(x 1 ), • • -,s(x n )) = <p(yi,- ■■J(x l , ■ --,x n ), ■■■,y m ) 

2. 0(k, (r/r, • - • , f(x t , • • • , x n ), • • • , y n )) = f(x t + k, ■ ■ ■ , x n + k) 

Proof: That 1 implies 2 is obvious by instantiating A; to 1. The converse is proved 
by induction on fc. □ 

To apply this theorem to (6), let MwpO(x) be Mwp(0,x ) and introduce the equation: 

MwpO(k , a(i, n))) = a (i + k,n + k) 

This gives the equational definition of a(i,n ): 

cr(s(i) + k, k) = MwpO(k, unit( 0)) 

a(k,k) = MwpO(k, Abs(App(Var( 0), Var(l)))) 

o(k, s(n ) + k) = MwpO(k , unit(n)) 
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This definition can be rewritten in the conditional form described at the beginning of the section 
with 

e\ = MwpO(n , unit( 0)) 

e 2 = MwpO(i, Abs(App( Var(0), Var(l)))) 

e 3 = MwpO(i , unit(n — i — 1)) 

6.2 Second Transformation Step 

The second transformation step transforms the expressions ei, e 2 and e 3 . The definition of 
MwpO of type Term —> Term, obtained by Definition 1, refers to the (inefficient) function 
MwpO. To get an efficient program an alternative (but equivalent) definition of MwpO that 
does not refer to MwpO must be generated. Theorem 2 addresses this issue. 

To introduce Theorem 2, consider the function upto. Informally, upto(i, n) = \i, i-\- 1, • • • , n\. 
The function upto satisfies upto(s(i),s(n)) = map s upto(i,n). Let maps be the specialization 
of the definition of map by s: 

maps [] = [] 

maps ( x :: xs) = s(x) :: (maps xs) 

The operators [] and :: are the constructors of the data type List(a). By Theorem 1, 

(maps) ( k , upto(i , n)) = (maps) k ( upto(i , n)) = upto(i + k,n + k) 

Theorem 2 will yield the following recursive definition of (maps) k , (that is of maps); it does 
not refer to maps. 

(maps) k [] = [] 

(maps) k (x :: xs) = s k (x) :: ((maps) k xs) 

Note, in this definition (maps) k is the function being defined. It is to be regarded atomically; 
maps is neither defined nor referred to. 
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Theorem 2 Let y; be a term of type fa for each i = 1, • • ■ ,n, let ip be a function of type 


fa *••• * a *•••*/?„—>■ a, anrl let C be a constructor of type a. The following are equivalent: 

1. fay x , ■ --,C{x i, • • -,x n ), ■ ■ -,y n ) = Cfafaxfa, ■ ■■,<p n (x n )) 

2. Lp(kfay 1 ,---,C(x 1 ,---,x n ),---,y n )) = C(fa(k, xfa, ■ ■ • , fafak, x n )) 

Proof: That 1 implies 2 is obvious by instantiating A; to 1. The converse is proved 
by induction on fc. □ 

If C is a constructor of arity zero, Theorem 2 degenerates to the two equations 

TiVii- ■■,C,---,y n ) = C 
< f(k,(y 1 ,---,C,---,y n )) = C 

To apply this result to MwpO , recall that MwpO(x) = Mwpfa,x) and that: 

Mwp(i, Var(n)) = Var(f(i,n )) 

Mwp(i, Abs(t)) = Abs(Mwp(s(i),t )) 

Mwp(i, App(tfa')) = App(Mwp(i,t), Mwp(ifa')). 

Introduction of the specializations fo(x) = /( 0,x), and Mwpl(x) = Mwp(l,x) allows the 

application of Theorem 2, producing: 

MwpO(k, Var(n)) = Var(f 0 (k,n )) 

MwpO(k, Abs(t)) = Abs(Mwpl(k,t)) 

MwpO(k, App(sfa)) = App(MwpO(k, s), MwpO(kfa)). 

It is easy to show that fo = s because /( 0, x) = s(x), and that s(k, a) = a + k by induction on 
k. Therefore MwpO(k , Var(n)) = Var(fo(k,n)), which is equivalent to Var(s(k,n)), which can 
be rewritten Var(n + k). Although this appears to have progressed, it is incomplete because 
Mwpl is still defined in terms of Mwpl. Attempts to define Mwpl by this method, however, 
will require the function Mwp2; this would continue forever. Fortunately, there is another way 
in which Theorem 1 may be applied to (6), yielding the equation Mwp(k,(0,a(i,n ))) = a(i + 
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k,n + k). Applying the same transformation as above produces another conditional definition 

of a(i, n ) with e\ = unit(n), €2 = Mwp(i, (0, Abs(App( Var( 0), Uar(l))))) and €3 = unit(n — 1). 

Application of Theorem 2 produces a recursive definition of Mwp that does not refer to Mwp: 

Mwp(k,(i, Var(n))) = Var(f(k,(i,n ))) (9) 

Mwp(k,(i, Abs(t))) = Abs(Mwp(k,(s(i),t ))) 

Mwp(k, ( i , App(s, t ))) = App(Mwp(k, (i, s)),Mwp(k, (i, t))) 

The transformation is not yet finished. Equation (9) remains to be improved by Ending a 
recursive definition of / that does not refer to the function /. 


6.3 Transformation of / 

Recall the equations for /: 

/(0, n) = s(ra) (10) 

/(s(i),0) = 0 (11) 

/(s(i),s(n)) = s(/(i,n)) (12) 

Applying Theorem 2 to (12) yields: 

/(£;, (s(i), s(n))) = s( f(k , (i, n))). (13) 


This suggests attempting a conditional definition for /. Using equations (10), (11), (12), 

Theorem 2, Theorem 1, and Definition 1 produces: 

f(k , (0, s(n))) = s(s(k, n)) = s(n + k) (14) 

f(k,(s(i), 0)) = 0 (15) 

f(k, (0,0)) = & (16) 


Applying Theorem 1 to (13) gives: f(k,(i + p,n + p)) = s(p, f(k,(i,n))) = f(k, (i, n)) + p. 

Applying that to equations (14), (15), (16) produces 

f(k,(s(i) + p,p)) = p 

f(k , (p, s(n ) + p)) = n + l + k + p 

f(k,(p,p )) = k+p 
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fun applysubstitutionjCTo(M) = 
let fun Mwp(k, (i, Var(n))) 

| Mwp(k , (i, Abs(t ))) 

| Mwp(k , (i, App(t , T))) 
fun <r(i, n) 


fun Ewp(i , Var(n)) 

| Ewp(i , Abs(t)) 

| Ewp(i , App(t , t')) 
in Ewp(O^M) 

end 


ifi > ra then Var(n) else Var(n + k) 
Abs(Mwp(k , (s(i),t))) 

App(Mwp(k , (i, t)),Mwp(k, (i, t'))) 
if; > ra then unit(n) 
else if ; = n then 

Mwp(i, (0, Abs(App( Var( 0), Var(l))))) 
else unit(n — 1) 

<r(;, n) 

Abs(Ewp(s(i),t )) 

App(Ewp(i , t), Ewp(i , ;')) 


Figure 8: Final result 


This equational definition is equivalent to the program: 

f(k,(i,n )) = if ; > n then n else if i = n then n + A; else n + A;. 


The program simplifies to: f(k , (i, n)) = if i > n then n else n + A;. By unfolding / and by a 
well known property of the conditional, equation (9) becomes: 

Mwp(k, (;, Var(ra))) = if ; > n then Var(n) else Var(n + A;) 


Including the transformed form of <7, which comes from above, produces the program in Figure 8 
which does not perform redundant computations for and /;. The transformation involved 
in this section has been done manually. However the transformation process is systematic and 
involves equational reasoning using Theorem 1 and Theorem 2. It shows implicitly how to 
automatically transform a constructor-based definition of a simultaneous iterator function of 
type Nat * Nat — ► Nat into a more efficient conditional form. 
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7 Reuse 


Although this paper has focused on the A-calculus, the specification can be applied to virtually 
any abstract syntax with a regular binding structure, provided its type can be expressed as a 
monad and the appropriate definition of map-with-policy can be given. Figure 9 illustrates this 
by showing how the function defined in Figure 4 can be expressed in a Standard ML functor 
abstracted on the signature of a monadic abstract syntax. Given this abstract presentation, 
the substitution algorithm can be specialized to a new abstract syntax simply by Standard 
ML functor application. For example, the structure encoding the enrichment of A-terms with 
let is given in Figure 10. In this case, map-with-policy must apply Z to f when it enters the 
component in which the bound variable has been introduced. This ability to reuse specifications 
is one of the strongest arguments for the adoption of monads as a tool to structure program 
development. 

The transformation of the apply .substitution function on the enriched abstract syntax is 
essentially the same as that presented above. A simple replay mechanism should be sufficient 
to perform the transformation of the enriched program. 

8 Directions 

The program development in this paper illustrates several new techniques. It makes the 
monadic structure in the development of the algorithm explicit. It supports this structure 
with new program transformation techniques that allow the implicit use of arithmetic to be 
“rediscovered” formally. It demonstrates the feasibility of integrating tools for monadic program 
development, which tend to be higher-order, with relatively standard program transformation 
technology, which is strictly first-order. 
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signature TermMonad = 
sig 

type ’a Term 

val unit : ’a -> ’a Term 

val mult : ’a Term Term -> ’a Term 

val map : (’a -> ’b) -> ’a Term -> ’b Term 

val map_with_policy : ((’a -> ’b) -> ’a -> ’b) 

-> (’a -> ’b) -> ’a Term -> ’b Term 
val extension_with_policy : ((’a -> ’b Term) 

-> ’a -> ’b Term) 

-> (’a -> ’b Term) 

-> ’a Term -> ’b Term 

end 


functor SubstitutionFunctor (T : TermMonad) = 
struct 

open T 

fun apply_substitution sigma_0 M 
= let fun succ x = x+1 
fun lift f 

= fn n => if n = 0 then 0 else l+f(n-l) 
fun shift sigma 

= fn n => if n = 0 then unit 0 

else map_with_policy lift succ (sigma (n-1)) 
in extension_with_policy shift sigma_0 M 
end; 

end 

Figure 9: Standard ML functor for an arbitrary abstract syntax. 
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structure Let :TermMonad = 
struct 

datatype ’a Term = 

Var of ’a 

I App of ’a Term * ’a Term 
I Abs of ’a Term 
I Let of ’a Term * ’a Term; 

val unit = Var 

fun mult (Var t) = t 

I mult (App(a,b)) = App(mult a, mult b) 

I mult (Abs (a)) = Abs (mult a) 

I mult (Let(a,b)) = Let (mult a, mult b) ; 

fun map f (Var a) = Var (f a) 

I map f (App(a,b)) = App(map f a, map f b) 

I map f (Abs (a)) = Abs (map f a) 

I map f (Let(a,b)) = Let (map f a, map f b) ; 

fun map_with_policy Z f (Var a) = Var (f a) 

I map_with_policy Z f (App(a,b)) 

= App(map_with_policy Z f a,map_with_policy Z f b) 

I map_with_policy Z f (Abs (a)) 

= Abs (map_with_policy Z (Z f) a) 

I map_with_policy Z f (Let(a,b)) 

= Let (map_with_policy Z f a,map_with_policy Z (Z f) b) ; 

fun extension_with_policy Z f = mult o (map_with_policy Z f) 

end 


Figure 10: Structure encoding the abstract syntax enriched with let 
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We believe this is a general paradigm for automated program development. We are de- 
veloping a transformation system for functional programs that is a combination of automated 
strategies implemented by different tools [2]. The transformation is performed according to 
the following scheme: (1) conversion of the program into a first-order set of constructor-based 
equations E (see Section 4), (2) manipulation of E by rewriting techniques to automate dif- 
ferent strategies based on the unfold/fold method [7] (see Section 5), (3) translation of the 
constructor-based set of equations to an efficient functional program, e.g. introduction of con- 
ditionals and machine arithmetic. The case study presented here is a good (though not typical) 
example of this process. 

The system we are developing includes an algebraic programming notation with limited sup- 
port for monads[13], transformation tools for conversion to first-order (including specialization 
and Reynolds’ defunctionalization[3]), and automatic first-order transformation by rewriting 
techniques [4]. 

However, some important pieces that are required for automating the formal methods pre- 
sented in this paper are not yet implemented. For example, support of the rich monadic de- 
velopment presented in Section 1 and the use of arithmetic introduced by the transformations 
presented in Section 6 exceed the current functionality of our system. 

The paper has presented a clearly motivated and correct program development for a sub- 
stitution algorithm for A-terms. It has taken an abstract algorithm, with extensive use of 
higher-order concepts, reduced it to a first-order program, introduced index arithmetic and 
produced an efficient algorithm that exploits computer arithmetic. 

We would like to thank Richard Kieburtz, Jeffrey Bell, and our other colleagues in the 
Pacific Software Research Center at the Oregon Graduate Institute of Science & Technology. 
We also wish to thank the referees for their constructive and insightful remarks. 
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A Correctness of the substitution algorithm 


This section demonstrates the equivalence of the substitution function defined in Figure 4 to 
the definition of substitution in the calculus of explicit substitutions of Curien, Hardin and 
Levy [10, 9]. In Curien, Hardin, and Levy’s calculus with explicit substitutions, as well as in 
the other calculi proposed by Abadi, Cardelli, Curien and Levy [1] and Lescanne [14], the result 
of applying the substitution op to the term M is translated by a closure: M[mult ( map op)]. 
Note that these calculi represents substitution as functions from terms to terms, hence we use 
the natural extension of op rather than op itself. To prove the correctness of the substitution 
algorithm, it suffices to prove that apply substitution do M computes M[mult ( map op)]. 

In the proof, three equivalence relations will be used: the symbol = will be used for the 
equivalence of ML expressions, the symbol will be used for equivalence in the calculus 
of explicit substitutions, and the symbol ~ will be used for a semantic equivalence relating 
them. This semantic equivalence is generated by identity of results of computations and by 
substitution of equals for equals. 

Thus, we must show that: mult (mapjwithjpolicy shift do M) ~ M[mult (map(op)], that 
is, by definition of map-with-policy , prove: 

mult ( map(dQ , shift do, shift 2 d o ■ ■ ■) M) ~ M[mult (map(do) 

The definition of a closure, adapted from Curien, Hardin and Levy, is: 

App(M,N)[s\ ^ App(M[s], N[s]) 

( Abs M)[s] ( Abs M)[ ff s] 

(V ar n)[s] (V ar n) 

where s = mult (map do) and, ff is defined as: 

ffs(HarO) (V art)) 

ff s(V ar (n + 1)) (s(V ar ra))[j] 

with |= map succ. 
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The proof uses the following shift lemma: 


shift do ~ fl ( mult (map (Jo)). 

whose proof uses a second lemma, the lift lemma: 

M[map f 0 ] ~ map(fo, lift / 0 , lift 2 /o, • • •) M. 


Proof of the lift lemma: 

Proof: The proof is by structural induction on the structure of terms. There are 
three cases: 

1. The term M is a variable (V ar n): 

(V ar n)[map fo] ^ (map fo)(V ar n) by definition of the closure 
= V ar (fo n) by definition of map 

= map(fo, lift /o, lift 2 /o, • • •) (V ar n) by definition of map. 

2. The term M is an application App(M, N ): 

map(f 0 , lift fo, lift 2 fo, ■ ■ ■] App(M, N) 

= App(map(fo, lift f 0 , lift 2 fo, ■ ■ .) M, map(f 0 , lift fo, lift 2 fo, ...) N 
by definition of map 

~ App(M[map fo], N[map fo]) by induction 

App(M , N )[map fo] by definition of the closure. 

3. The term M is an abstraction Abs(M): On one hand, 

map(fo, lift fo, lift 2 fo, ■ ■ ■) Abs(M) 

= Abs(map(lift fo, lift 2 fo, ■ ■ ■) M) by definition of map 
~ Abs(M[map (lift fo)]) by induction. 

On another hand, 

Abs(M)[map fo] Abs(M[if (map fo)]) by definition of the closure. 


The proof is done if 

fi (map fo) ~ map (lift f 0 ). 

which can be easily proved by mathematic induction on the de Bruijn number n of 
a variable using the definition of ff and lift. □ 
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Proof of the shift lemma: 


Proof: The proof is by mathematical induction on the de Bruijn number n of a 
variable. 

1. The de Bruijn number is 0: 

shift opO = (V ar 0) by definition of shift , 


and 

ff ( mult (map gq))(V ar 0) = (V ar 0) by definition of jj\ 

2. The de Bruijn number is n + 1: On one hand, 

shift op (n + 1) = map ( succ , lift succ , lift 2 succ , . . .) (op n) 
by definition of shift 
~ (dora) [map succ] by the lift lemma. 

On another hand, 

ff (mult (map gq))(V ar(n + 1)) mult (map gq(V ar n))[f] 
by definition of ff 

= mult(V ar (a o n))[f] by definition of map 
= (a o n)[f] by definition of mult. 


Finally, the proof of correctness of the substitution function: 

mult (map(ao, shift Go, shift 2 g o • • •) M) ~ M[mult ( map(Go )]. 

Proof: The proof is by structural induction on the term structure. There are three 
cases: 

1. The term M is a variable (V ar n ): On one hand, 

(V ar n)[mult (map op)] 

mult (map (a o (V ar n))) by definition of the closure 
= mult (a o n ) by definition of map = g 0 n by definition of mult. 

On the other hand, 

mult (map (op, shift Go, shift 2 g o ■ ■ ■) (V ar n )) 

= mult (V ar(ao n )) by definition of map 
= gq n by definition of mult 


31 



2. The term iff is an application App(M, N): On one hand, 

App(M , N)[mult ( map op)] 

App(M[mult ( map ao)\, N\mult ( map op)]) by definition of the closure. 
On the other hand, 

mult ( map (op, shift op, shift 2 op . . .) ( App(M , N))) 

= mult App(map (op, shift op, shift 2 op . . .) iff 
, map (do, shift op, shift 2 op . . .) iV) 
by definition of map 

= App(mult (map (op, shift op, shift 2 ap . . .) iff), 

mult (map (op, shift op, shift 2 ap . . .) iV)) by definition of mult 
~ App(M[mult (map ao)], N [mult (map (To)]) by induction. 

3. The term iff is an abstraction iff: On one hand, 

A6s(iff)[mw// (map (To)] 

~ Abs(M [ff (mult (map (To))] by definition of the closure. 

On another hand, 

mult (map ((To, shift (To, shift 2 (To . . .) (A6s iff)) 

= mult (Abs (map (shift (To, shift 2 (To . . .) iff)) by definition of map 
= (mult (map (shift (To, shift 2 (To . . .) iff)) by definition of mult 
~ Abs(M [shift (To]) by induction 

A6s(iff[ff (mult (map op))] by the shift lemma. 


□ 
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